
CN101855864A - Apparatus and method for deploying a wireless network intrusion detection system to resource-constrained devices - Google Patents


Info

Publication number
CN101855864A
Authority
CN
China
Prior art keywords
wireless device
spy routine
wireless
packet
marker
Prior art date
Legal status
Granted
Application number
CN200880115442A
Other languages
Chinese (zh)
Other versions
CN101855864B (en)
Inventor
S·耶尔马尔
A·K·辛赫
K·S·拉马纳桑
Current Assignee
Honeywell International Inc
Original Assignee
Honeywell International Inc
Priority date
Filing date
Publication date
Application filed by Honeywell International Inc
Publication of CN101855864A
Application granted
Publication of CN101855864B
Legal status: Expired - Fee Related
Anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416: Event detection, e.g. attack signature detection
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227: Filtering policies
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12: Detection or prevention of fraud
    • H04W 12/121: Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W 12/122: Counter-measures against attacks; Protection against rogue devices
    • H04W 24/00: Supervisory, monitoring or testing arrangements
    • H04W 84/00: Network topologies
    • H04W 84/02: Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
    • H04W 84/10: Small scale networks; Flat hierarchical networks
    • H04W 84/14: WLL [Wireless Local Loop]; RLL [Radio Local Loop]
    • H04W 88/00: Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
    • H04W 88/02: Terminal devices

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Small-Scale Networks (AREA)
  • Alarm Systems (AREA)

Abstract

Wireless devices, such as field devices (104a-104n) or repeater/relay nodes (106a-106e), detect the presence of anomalies in data packets that suggest intrusion. Upon detection of an anomaly, a wireless device sends a notification to a sentinel device (114), which determines if intrusion may be occurring. If so, the sentinel device downloads a spy routine to at least one of the wireless devices, which enables further investigation into and/or isolation of the intrusion. Since the spy routine is downloaded to the wireless devices, the spy routine can be used in conjunction with memory-constrained wireless devices. Memory-constrained wireless devices may lack adequate memory (604, 606, 608) for storing both a main application executed during normal operation and the spy routine. The spy routine could overwrite one or more modules of the main application. Once executed, the spy routine could itself be overwritten by the one or more modules, allowing the wireless device to return to normal operation.

Description

Apparatus and method for deploying a wireless network intrusion detection system to resource-constrained devices
Cross reference to related applications
This application is a continuation-in-part of U.S. Patent Application No. 11/752,308, filed May 23, 2007, which is hereby incorporated by reference.
Technical field
This disclosure relates generally to security in wireless networks and, more specifically, to an apparatus and method for deploying a wireless network intrusion detection system to resource-constrained devices.
Background
A wireless network generally represents a communication network formed by devices that communicate over a wireless medium. Examples of wireless networks include wireless local area networks (WLANs) and cellular communication networks.
Wireless devices that form part of a wireless network are typically connected to and operate within the network without requiring a fixed or known location, unlike wired devices, which are usually located at known connection points in a wired network. As a result, compared with wired networks, the probability that an unauthorized or "rogue" wireless device connects to a wireless network is generally higher. In general, an "intruder" represents any system or device that transmits unauthorized (or otherwise unwanted) packets to a wireless network. Such "intrusions" in wireless networks are usually undesirable, and intrusion detection systems may be employed to detect and/or prevent these intrusions.
In existing intrusion detection systems, a wireless security component is deployed in the wireless network, and this component monitors all or most of the traffic (data packets) received on the wireless network. For example, the wireless security component may store packets and then analyze the stored packets to detect any anomalies that may indicate an intrusion.
One problem with this approach is that the wireless devices in a wireless network are often memory constrained and/or power constrained. This can be a particular problem in environments such as industrial process control systems. Constrained devices may include wireless field devices (such as wireless sensors) and other wireless devices (such as intermediate nodes). This problem often creates difficulties when the wireless security component must reside on, and be executed by, the constrained wireless devices.
Summary of the invention
This disclosure provides an apparatus and method for deploying a wireless network intrusion detection system to resource-constrained devices.
In a first embodiment, a system includes a plurality of wireless devices configured to receive data packets over a wireless medium. At least one of the wireless devices is configured to detect one or more anomalies associated with a received data packet. The system also includes a sentinel device configured to transmit a spy routine to one or more of the wireless devices in response to detection of the one or more anomalies. The one or more wireless devices are also configured to execute the spy routine to facilitate determining whether the transmitter of the received data packet is an intruder and/or isolating that transmitter.
In a particular embodiment, the sentinel device is also configured to determine whether a wireless device is a memory-constrained wireless device before transmitting the spy routine to that wireless device.
In other particular embodiments, the memory-constrained wireless device is also configured to execute a main application during normal operation, where the main application includes a plurality of modules. The memory-constrained wireless node is further configured to replace at least one of the plurality of modules with the spy routine. The at least one module may be non-essential to steady-state operation of the memory-constrained wireless device, and it may be replaced without taking the memory-constrained wireless device offline. The memory-constrained wireless node is also configured to receive the at least one module from an external source and, without taking the memory-constrained wireless device offline, to replace the spy routine with the at least one received module so that the memory-constrained wireless device returns to normal operation.
In other particular embodiments, the sentinel device is configured to transmit the spy routine to a first subset of the wireless devices. In addition, the spy routine already resides on a second subset of the wireless devices, and the sentinel device is configured to activate the spy routine in the second subset of the wireless devices.
In other particular embodiments, the sentinel device is configured to receive a notification associated with the one or more anomalies from a first wireless device among the wireless devices, and the sentinel device is configured to transmit the spy routine to a second wireless device among the wireless devices. The second wireless device may be closer to the transmitter than the first wireless device.
In other particular embodiments, the plurality of wireless devices includes one or more wireless repeaters or relay nodes in the wireless network and/or one or more wireless field devices configured to communicate with the wireless network.
In a second embodiment, a method includes receiving a data packet from a transmitter at a wireless device. The method also includes detecting one or more anomalies associated with the data packet and transmitting a notification in response to detecting the one or more anomalies. The method further includes receiving a spy routine at the wireless device and executing the spy routine to facilitate determining whether the transmitter is an intruder and/or isolating the transmitter.
In a third embodiment, an apparatus includes a wireless interface configured to receive a data packet from a transmitter. The apparatus also includes at least one processor configured to detect one or more anomalies associated with the data packet and to initiate transmission of a notification in response to detecting the one or more anomalies. The at least one processor is further configured to receive a spy routine and execute the spy routine to facilitate determining whether the transmitter is an intruder and/or isolating the transmitter.
In a fourth embodiment, a computer program is embodied on a computer readable medium. The computer program includes computer readable program code for receiving a data packet from a transmitter and for detecting one or more anomalies associated with the data packet. The computer program also includes computer readable program code for transmitting a notification in response to detecting the one or more anomalies. The computer program further includes computer readable program code for receiving a spy routine and executing the spy routine to facilitate determining whether the transmitter is an intruder and/or isolating the transmitter.
In a fifth embodiment, a method includes receiving a notification from one of a plurality of wireless devices, where the notification is associated with one or more anomalies detected by that wireless device. The method also includes transmitting a spy routine to at least one of the wireless devices. The spy routine facilitates determining whether a transmitter in the wireless network is an intruder and/or isolating the transmitter.
In a sixth embodiment, an apparatus includes an interface configured to receive a notification from one of a plurality of wireless devices, where the notification is associated with one or more anomalies detected by that wireless device. The apparatus also includes at least one processor configured to identify at least one of the wireless devices and to initiate transmission of a spy routine to the at least one wireless device. The spy routine facilitates determining whether a transmitter in the wireless network is an intruder and/or isolating the transmitter.
In a seventh embodiment, a computer program is embodied on a computer readable medium. The computer program includes computer readable program code for receiving a notification from one of a plurality of wireless devices, where the notification is associated with one or more anomalies detected by that wireless device. The computer program also includes computer readable program code for transmitting a spy routine to at least one of the wireless devices. The spy routine facilitates determining whether a transmitter in the wireless network is an intruder and/or isolating the transmitter.
Other technical features may be readily apparent to one skilled in the art from the following figures, descriptions, and claims.
Brief description of the drawings
For a more complete understanding of this disclosure, reference is now made to the following description, taken in conjunction with the accompanying drawings, in which:
Figure 1 illustrates an example wireless network intrusion detection system according to this disclosure;
Figure 2 illustrates an example method for intrusion detection according to this disclosure;
Figure 3 illustrates an example method for completing execution of a spy routine at a wireless device according to this disclosure;
Figure 4 illustrates an example method for implementing intrusion detection in a wireless network according to this disclosure;
Figures 5A and 5B illustrate example intrusion scenarios according to this disclosure;
Figure 6 illustrates an example sentinel or wireless device in a wireless network intrusion detection system according to this disclosure; and
Figure 7 illustrates an example memory configuration in a wireless device according to this disclosure.
Detailed description
Figures 1 through 7 and the various embodiments used to describe the principles of the present invention in this patent document are by way of illustration only and should not be construed in any way to limit the scope of the invention. Those skilled in the art will understand that the principles of the invention may be implemented in any type of suitably arranged device or system.
Figure 1 illustrates an example wireless network intrusion detection system 100 according to this disclosure. The embodiment of the system 100 shown in Figure 1 is for illustration only. Other embodiments of the system 100 may be used without departing from the scope of this disclosure.
As shown in Figure 1, the system 100 includes a wireless network 102. In this example, the wireless network 102 includes one or more wireless field devices 104a-104n, a repeater system 106, and a wireless gateway 108. The field devices 104a-104n represent wireless devices that can perform various functions in the system 100. For example, the field devices 104a-104n could be used to monitor or control various aspects of an industrial process control environment. As particular examples, the field devices 104a-104n could represent sensors (such as temperature or pressure sensors) and actuators used to monitor and control various aspects of the industrial process control environment. The field devices 104a-104n could also operate according to control commands received from the repeater system 106. In some embodiments, the field devices 104a-104n provide process values (such as temperature or pressure values) of the controlled equipment to the repeater system 106, or accept from the repeater system 106 control values used to control equipment (such as actuators). The field devices 104a-104n could communicate using any suitable wireless technology, such as frequency-hopping spread spectrum (FHSS). Although not shown, the system 100 could also include wired field devices connected by wired paths and communicating over wired links. Each field device 104a-104n includes any suitable hardware, software, firmware, or combination thereof for sending and/or receiving data in a wireless network.
The repeater system 106 includes wireless nodes 106a-106e, which represent wireless devices operating as intermediate nodes (such as repeaters or relay nodes) in the communication paths to and from the field devices 104a-104n. A communication path between the gateway 108 and a field device could include one or more of the wireless nodes 106a-106e operating as repeater/relay nodes. Each wireless node 106a-106e can "listen" to packets transmitted on the wireless medium to check for packets intended for that node. A wireless node could be the final recipient of a packet (which can be determined from the destination network address field in the packet) or a repeater/relay node for the packet (which can be determined from the destination medium access control, or "MAC", layer address field in the packet). Each wireless node 106a-106e includes any suitable hardware, software, firmware, or combination thereof for facilitating wireless communication to and from the field devices 104a-104n, such as a wireless router or wireless repeater.
The gateway 108 facilitates communication between the wireless network 102 and external systems or components. For example, the gateway 108 could receive data packets from one or more of the wireless nodes 106a-106e and provide the packets to external systems or components. The gateway 108 could also receive data packets from external systems or components and provide the packets to one or more of the wireless nodes 106a-106e. The gateway 108 could further perform translation functions to convert between the different protocols used by the external systems or components and by the wireless nodes 106a-106e. The gateway 108 includes any suitable hardware, software, firmware, or combination thereof for facilitating communication between a wireless network and one or more external devices or systems.
In some embodiments, the gateway 108 and the field devices 104a-104n can be regarded as end systems or devices, and the wireless nodes 106a-106e operate to forward packets between those end systems or devices. In general, the particular node or device to which a packet is ultimately destined can be determined from the packet's corresponding network address (such as an Internet Protocol address), and the wireless nodes 106a-106e can forward the packet to the next node or to the destination device according to the network address contained in the packet. As described below, a wireless node (implemented as a single physical unit) can assist in intrusion detection while at the same time forwarding packets in the wireless network 102. The wireless field devices can also assist in intrusion detection in the wireless network 102.
In this example, a control station 110 is coupled to the wireless gateway 108. The control station 110 operates to control the operation of the field devices 104a-104n. For example, the control station 110 could send control values to output devices (such as actuators) among the field devices 104a-104n via the gateway 108 and one or more of the wireless nodes 106a-106e. The control station 110 could also receive process values from input devices (such as temperature or pressure sensors) among the field devices 104a-104n via one or more of the wireless nodes 106a-106e and the gateway 108. The control station 110 could generate the control values according to any suitable control strategy, and the control values could be based on the received process values. In addition, as noted above, the field devices 104a-104n could communicate using any suitable wireless technology, such as FHSS. In these embodiments, the control station 110 could assign various parameters to the field devices 104a-104n to facilitate the use of FHSS or other wireless communication technologies. As a particular example, the control station 110 could assign a time slot and a network address to each field device 104a-104n. Moreover, the control station 110 could be connected to various other components (such as database servers, management servers, or operator terminals) to facilitate the generation and operation of the control strategy. The control station 110 includes any suitable hardware, software, firmware, or combination thereof for controlling the field devices 104a-104n, such as a desktop computer, laptop computer, or other computing device.
During communications from the control station 110, the wireless gateway 108 can receive commands or other data from the control station 110 and send them over the wireless medium (via the repeater system 106) to the appropriate field devices 104a-104n. Similarly, the gateway 108 can receive process values over the wireless medium (via the repeater system 106) from the various field devices 104a-104n and provide those values to the control station 110. The field devices 104a-104n, the repeater system 106, and the gateway 108 could communicate using any suitable wireless signals, such as radio frequency (RF) signals. They could also communicate using any suitable wireless protocol or protocols, such as FHSS, 802.11, or other wireless protocol(s).
A key server 112 generates keys used to encrypt and decrypt data transmitted in the system 100, such as data transmitted between the control station 110 and the wireless network 102 or data transmitted between the wireless nodes 106a-106e and the field devices 104a-104n. The key server 112 also transmits the keys to the wireless gateway 108, which in turn transmits the appropriate keys to the appropriate devices (such as the wireless nodes 106a-106e and the field devices 104a-104n). The key server 112 further provides key information to a sentinel 114 (described below) for use in detecting intrusions into the wireless network 102. The key server 112 includes any suitable hardware, software, firmware, or combination thereof for providing encryption keys to components of the system 100. The key server 112 could also support any suitable encryption mechanism used in the system 100, such as symmetric or asymmetric key encryption.
The sentinel 114 (also referred to as the sentinel device) can receive notifications, such as message packets or other signals, from the wireless nodes 106a-106e or the field devices 104a-104n via the gateway 108. A notification could be transmitted by a wireless node 106a-106e or a field device 104a-104n to the sentinel 114 upon detecting possible abnormal behavior in the wireless network 102. Possible abnormal behavior in the wireless network 102 could indicate that an unauthorized device is intruding into the network. Alone or in conjunction with a decision system 116, the sentinel 114 can process the notification to determine whether it indicates an intrusion into the wireless network 102. If so, the sentinel 114 can activate a spy routine in the appropriate wireless node(s) 106a-106e and/or field device(s) 104a-104n to more specifically identify or combat the intrusion. As described below, the sentinel 114 could also download the spy routine to the appropriate wireless node(s) 106a-106e and/or field device(s) 104a-104n before activating it (or before the spy routine activates automatically). The operation of the spy routine and the manner in which it can detect intrusions into the wireless network 102 are described below. The sentinel 114 includes any suitable hardware, software, firmware, or combination thereof for detecting intrusions into a wireless network.
The decision system 116 can be used to more definitively determine whether an intrusion into the wireless network 102 is occurring. The decision system 116 could use any suitable technique to detect possible intrusions. For example, the decision system 116 could use a set of decision rules (such as by using the SNORT decision engine available from the Snort Store, c/o Artesian City Marketing of Prattville, Alabama), where the decision rule set specifies the manner in which intrusions are determined. The decision system 116 could also use probabilistic techniques to identify possible intrusions into the wireless network 102. Any other or additional technique(s) could be used to detect possible intrusions into a wireless network. The decision system 116 includes any suitable hardware, software, firmware, or combination thereof for detecting possible intrusions into a wireless network. Although shown as separate from the sentinel 114, the functionality of the decision system 116 could be implemented within or incorporated into the sentinel 114.
One or more operator terminals 118 are coupled to the sentinel 114 and/or other components of the system 100. The operator terminals 118 allow data to be provided to, and received from, one or more operators. For example, an operator terminal 118 could provide a suitable user interface (such as a display) through which the sentinel 114 can raise an alarm if an intrusion into the wireless network 102 is suspected or detected. The operator could then manually issue investigation commands via the operator terminal 118 (such as by using a keyboard), in place of or in addition to the automated intrusion detection process, to further determine the nature of the intrusion and initiate measures to remove the intruder from the operating area of the network 102. It should be noted, however, that at least some intrusions can be determined and combated without any operator intervention. Each operator terminal 118 includes any suitable structure facilitating interaction between an operator and the system 100, such as a desktop computer, laptop computer, or personal digital assistant.
The various components in Figure 1 could be coupled together via any suitable wired or wireless connections. For example, the control station 110, the key server 112, and the sentinel 114 could be coupled to the gateway 108 using wired connections, and the decision system 116 and the operator terminals 118 could be coupled to the sentinel 114 using wired connections. As another example, the wireless nodes 106a-106e could communicate with each other, with the field devices 104a-104n, and with the gateway 108 using wireless connections. Any suitable wired and wireless connections could be used in the system 100. As particular examples, the wired connections could represent Ethernet connections or other electrical data connections.
In one aspect of operation, a wireless node 106a-106e or field device 104a-104n can examine received data packets for the presence of one or more anomalies. The examined data packets could contain the address of that wireless node 106a-106e or field device 104a-104n in their destination address fields. Upon determining that one or more anomalies exist, the wireless node 106a-106e or field device 104a-104n can send a message packet or other notification to the sentinel 114. The sentinel 114 can process the notification to determine whether the transmitter of the data packet represents a possible intruder into the wireless network 102. If so, the sentinel 114 activates the spy routine in one or more of the wireless nodes 106a-106e and/or field devices 104a-104n. The spy routine could engage the transmitter of the data packet in further dialogue to continue investigating whether the transmitter really is an intruder. Because the wireless nodes 106a-106e and/or field devices 104a-104n can operate normally until an anomalous condition or event occurs, the additional power consumption required to detect intrusions can be reduced. This may be desirable when power-constrained devices, such as battery-powered wireless nodes 106a-106e or field devices 104a-104n, are used.
In another aspect of operation, the sentinel 114 can cause the spy routine to be downloaded to a wireless node 106a-106e or field device 104a-104n before activating the spy routine in that node or device. As a result, the wireless node 106a-106e or field device 104a-104n is not required to store the spy routine at all times. For example, this could allow the wireless node 106a-106e or field device 104a-104n to store only the application(s) required for its normal operation during most of its operating time. Only when needed (such as only after a possible intrusion is detected) is the spy routine downloaded to the wireless node 106a-106e or field device 104a-104n and activated. Once the spy routine has completed, the spy routine in the wireless node 106a-106e or field device 104a-104n can be overwritten, for example by downloading one or more applications to the wireless node 106a-106e or field device 104a-104n, thereby permitting normal operation of the node or device once again. In this way, no memory is needed in the wireless node 106a-106e or field device 104a-104n for permanently storing the spy routine. This may be desirable when memory-constrained devices, such as wireless nodes 106a-106e or field devices 104a-104n with small amounts of memory, are used.
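The download-execute-restore cycle described here and in the summary (a non-essential module of the main application is overwritten by the spy routine and later re-downloaded from an external source, with the device never going offline) can be modelled as an added example. This is not code from the patent or from Honeywell; the module names, sizes, memory units and the spy routine's verdict string are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed model: device memory is a fixed number of units, the main application is a
# list of modules, each tagged as essential or non-essential to steady-state operation.

@dataclass
class Module:
    name: str
    essential: bool
    size: int
    run: Optional[Callable[[], str]] = None   # only the spy routine is executed here

@dataclass
class ConstrainedDevice:
    capacity: int
    modules: List[Module]
    online: bool = True                    # never cleared: the swap happens in place
    spy_index: Optional[int] = None        # slot currently holding the spy routine
    displaced: Optional[Module] = None     # main-application module it overwrote
    log: List[str] = field(default_factory=list)

    def used(self) -> int:
        return sum(m.size for m in self.modules)

    def is_memory_constrained(self, spy: Module) -> bool:
        """The sentinel's pre-check: does the spy routine fit beside the main application?"""
        return self.capacity - self.used() < spy.size

    def load_spy(self, spy: Module) -> None:
        """Install the spy routine: use free memory if there is any, otherwise overwrite the
        first non-essential module that is large enough. Essential modules are never touched."""
        if not self.is_memory_constrained(spy):
            self.modules.append(spy)
            self.spy_index = len(self.modules) - 1
            self.log.append("spy loaded into free memory")
            return
        for i, m in enumerate(self.modules):
            if not m.essential and m.size >= spy.size:
                self.displaced, self.modules[i], self.spy_index = m, spy, i
                self.log.append(f"spy overwrote non-essential module {m.name}")
                return
        raise MemoryError("no non-essential module large enough for the spy routine")

    def run_spy(self) -> str:
        if self.spy_index is None:
            raise RuntimeError("spy routine is not loaded")
        return self.modules[self.spy_index].run()

    def restore(self, fetch_module: Callable[[str], Module]) -> None:
        """Overwrite the finished spy routine with the module re-downloaded from the
        external source, or just drop it if it had been placed in free memory."""
        if self.spy_index is None:
            raise RuntimeError("nothing to restore")
        if self.displaced is None:
            del self.modules[self.spy_index]
            self.log.append("spy discarded from free memory")
        else:
            self.modules[self.spy_index] = fetch_module(self.displaced.name)
            self.log.append(f"module {self.displaced.name} restored over spy")
        self.spy_index, self.displaced = None, None

# Constructed main application of a field device (sizes in arbitrary memory units).
MODULE_STORE: Dict[str, Module] = {
    "radio_driver":    Module("radio_driver", True, 4),
    "sensor_sampling": Module("sensor_sampling", True, 3),
    "diagnostics":     Module("diagnostics", False, 3),
    "history_buffer":  Module("history_buffer", False, 2),
}

def fetch_module(name: str) -> Module:
    """Stands in for the external source (e.g. the gateway) that re-supplies a module."""
    return MODULE_STORE[name]

def build_field_device(capacity: int) -> ConstrainedDevice:
    return ConstrainedDevice(capacity, [fetch_module(n) for n in MODULE_STORE])

# Hypothetical spy routine; its verdict text is a placeholder for the investigation result.
SPY = Module("spy_routine", False, 3,
             run=lambda: "transmitter engaged: no valid key presented, report as intruder")

def sentinel_cycle(device: ConstrainedDevice, spy: Module = SPY) -> str:
    """Full cycle: download, execute, restore. Checks that essential modules survive,
    memory is never overcommitted, and the original layout comes back."""
    before = [m.name for m in device.modules]
    device.load_spy(spy)
    names_now = [m.name for m in device.modules]
    if any(fetch_module(n).essential and n not in names_now for n in before):
        raise RuntimeError("an essential module was displaced")
    if device.used() > device.capacity:
        raise RuntimeError("memory overcommitted")
    verdict = device.run_spy()
    device.restore(fetch_module)
    if [m.name for m in device.modules] != before or not device.online:
        raise RuntimeError("main application not restored")
    return verdict
```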
In another operating aspect, except at the grouping that abnormal examination transmitted, radio node 106a-106e can also transmit and be grouped into terminal installation (such as field device 104a-104n or gateway 108).Owing in single assembly, implement these two features, can reduce the number of components in the wireless network 102 potentially.Similarly, except dividing into groups at abnormal examination, field device 104a-104n can carry out other function (such as sending transducer or pressure data and reception control data).Owing to such feature, therefore can strengthen the coverage (coverage) of intrusion detection in the wireless network 102.
Although Fig. 1 illustrates an example of wireless network intrusion detection system 100, can carry out various changes to Fig. 1.For example, function division shown in Figure 1 only is used for illustration.According to specific needs, can make up or omit each parts among Fig. 1 and can add optional feature.As specific example, key server 112, marker 114 and decision system 116 may be implemented as the part of control station 110.In addition, system 100 may be implemented as the part of any appropriate system of using wireless network.As specific example, the system 100 of Fig. 1 can be used as industrial process control system or be used for industrial process control system and be illustrated as only comprising representative elements or the system that is used for illustration.Real world environment or system can comprise understands conspicuous spare system or parts to those skilled in the art.In addition, Fig. 1 illustrates an operating environment wherein can using the wireless network intrusion detection.The wireless network intrusion detection feature can be used for any other suitable system and use with any suitable wireless network environment.
Fig. 2 illustrates an example method 200 for intrusion detection according to this disclosure. The embodiment of the method 200 shown in Fig. 2 is for illustration only. Other embodiments of the method 200 may be used without departing from the scope of this disclosure. Also, for ease of explanation, the method 200 is described with respect to the wireless node 106a in the repeater system 106 of Fig. 1. The method 200 may be used by any suitable device, such as a wireless field device, and in any suitable system or environment.
A wireless device receives a packet at step 202. This may include, for example, the wireless node 106a receiving a packet from a field device 104a-104n, from the gateway 108, or from an intruder into the wireless network 102. The destination address field in the packet may indicate that the packet is directed to the wireless node 106a, meaning that the final intended recipient of the packet is the wireless node 106a. The destination address field in the packet may also indicate that the packet is directed to another device, meaning that the final intended recipient of the packet is not the wireless node 106a (and the wireless node 106a may forward the packet). In some embodiments, the wireless node 106a analyzes only packets intended for the wireless node 106a. In other embodiments, the wireless node 106a also analyzes packets intended for other devices.
Because of the broadcast nature of the wireless medium, multiple packets may be received at the antenna of a wireless device. Whether a particular packet is directed to a specific wireless device may depend on the value in the destination address field of the packet. A wireless device may also be assigned different addresses at different protocol layers (such as a MAC-layer address, a network-layer address and an object identifier). Thus, when a packet contains the address of the wireless device (by convention, at the corresponding protocol layer) in its destination address field, the packet can be considered to be directed to that wireless device. Although unicast packets (packets whose destination address identifies a single device) are typically received, multicast or broadcast addresses may also be used to direct a packet to the wireless device and other devices.
At step 204, the wireless device checks the packet for one or more anomalies. An "anomaly" generally refers to a deviation from normal, expected behavior and/or any other deviation that may indicate an intrusion into the wireless network. The packet may be checked for specific anomalies that may lead to the conclusion of a possible intrusion. In some embodiments, the wireless device checks for MAC-level anomalies, network-level anomalies and security-level anomalies (although other or additional types of anomalies may be detected).
If the wireless device does not detect one or more anomalies, the wireless device responds to the packet at step 206. This may include, for example, the wireless node 106a responding to the packet as if it were a normal (non-intrusion) packet. As a particular example, the wireless node 106a may forward the packet to the next device in the transmission path (such as another wireless node, a field device, the gateway or another device). The wireless node 106a may also send an acknowledgement to the transmitter that provided the packet to the wireless node 106a.
If the wireless device detects one or more anomalies at step 204, the wireless device sends a notification to the marker at step 208. In some embodiments, the notification represents a message packet that contains or identifies the nature of the anomalous condition(s) or event(s) detected by the wireless node 106a. The message packet may also contain or identify the time the packet was received, the address of the device that sent the packet, and the received packet itself. In other embodiments, the message packet may contain or identify only the received packet associated with the anomalous condition(s) or event(s). In general, the wireless node 106 may send, in the message packet, whatever information the marker 114 requires for further processing.
At step 210, the wireless device determines whether a positive response indicating an intrusion has been received. For example, the wireless node 106a may receive a response packet from the marker 114 in reply to the message packet sent at step 208. In some embodiments, the wireless node 106a receives a response packet only when the marker 114 determines that a potential intruder has been detected. In other embodiments, a response packet may be received even when the marker 114 does not detect an intrusion, and the response packet indicates whether the transmitter of the packet is a potential intruder. In those other embodiments, step 210 may involve the wireless device examining the contents of the received response packet to determine whether an intrusion is suspected or detected. The response packet may be generated by the marker 114 as shown in Fig. 4, which is described below.
If no positive response is received, no positive response is received within a specified interval, or the response indicates that the transmitter of the packet is not a potential intruder, the method 200 may end. At this point the wireless device need not take any further measures to investigate or counter an intrusion. Depending on the implementation, the wireless device may or may not respond to the anomalous packet.
If a positive response is received, or the response indicates that the transmitter of the packet is a potential intruder, the wireless device may take steps to further investigate or counter the potential intrusion. For example, if the wireless device is not storage-constrained at step 212, the wireless device activates the spy routine at step 214. This may include, for example, the wireless node 106a starting execution of the spy routine, which enables further investigation of the possible intrusion (and thereby enables the intrusion to be determined with a higher probability level). A wireless device that is not storage-constrained may represent a device that has enough memory to store the spy routine for an extended period of time (during extended periods of normal operation of the wireless device). The determination of whether a wireless device is storage-constrained may be based on any suitable information, such as information provided by an operator or information collected from the wireless device by the marker 114.
If the wireless device is storage-constrained at step 212, the spy routine is downloaded to the wireless device and then automatically activated at step 216. This may include, for example, the wireless node 106a receiving the spy routine from the marker 114. This may also include the wireless node 106a overwriting one or more other application programs in its memory with the spy routine. A storage-constrained wireless device may represent a device that does not have enough memory to store the spy routine for an extended period of time. The spy routine may be downloaded to the wireless device dynamically in any suitable manner, such as over a wired or wireless connection between the wireless device and the marker 114 or another device. Also, the spy routine may be downloaded to and executed in the wireless device without taking the wireless device offline (such as while the device continues steady-state operation).
When the spy routine is activated, the wireless device may perform various operations. For example, in some embodiments, the wireless device may transmit a "challenge" to the potential intruder and determine whether an appropriate response is received from the potential intruder. The challenge may be stored in the wireless device in advance (before the detected intrusion). In other embodiments, the wireless device may send an encrypted bit stream to the potential intruder and request that the bit stream be returned in decrypted form. Failure to receive the correct (expected) response from the potential intruder can further strengthen the earlier determination of an intrusion. The investigation techniques of the spy routine described above are provided only as examples and are not exhaustive. Any suitable challenge and expected-response pattern, or any other investigation technique, may be used to determine an intrusion with greater certainty.
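The challenge phase just described, worked through as an added example that is not part of the patent and not Honeywell's code: the spy routine sends an encrypted bit stream and accepts the peer only if the exact plaintext comes back. The key shared by legitimate devices, the keystream construction (HMAC-SHA256 in counter mode, a constructed toy cipher standing in for whatever cipher the network uses) and the three peer behaviours are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Key shared by legitimate devices (in the system it would be provided by the key server 112).
# Constructed value for this example.
NETWORK_KEY = b"constructed-shared-network-key"


def keystream(key, nonce, length):
    """Keystream from HMAC-SHA256(key, nonce || counter); a constructed toy stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, nonce, data):
    """XOR the data with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


decrypt = encrypt


class SpyRoutine:
    """Challenge phase: send an encrypted bit stream, expect it back in decrypted form."""

    def __init__(self, key, rng=os.urandom):
        self.key = key
        self.rng = rng

    def make_challenge(self):
        plain = self.rng(16)          # the bit stream the peer must recover
        nonce = self.rng(8)           # fresh per challenge, so an old answer cannot be replayed
        return {"nonce": nonce, "cipher": encrypt(self.key, nonce, plain)}, plain

    def verify(self, expected, response):
        """True only if the peer returned exactly the original bit stream."""
        if response is None or len(response) != len(expected):
            return False
        return hmac.compare_digest(expected, response)


def legitimate_peer(challenge):
    """A device holding the network key decrypts and answers correctly."""
    return decrypt(NETWORK_KEY, challenge["nonce"], challenge["cipher"])


def impostor_peer(challenge):
    """A device without the key cannot decrypt; echoing the ciphertext is all it can do."""
    return challenge["cipher"]


def silent_peer(challenge):
    """No answer within the interval, modelled as None."""
    return None


def investigate(spy, respond):
    """One challenge/response round; True means the peer behaved like a legitimate device."""
    challenge, expected = spy.make_challenge()
    return spy.verify(expected, respond(challenge))


def run_demo():
    spy = SpyRoutine(NETWORK_KEY)
    return {
        "legitimate": investigate(spy, legitimate_peer),
        "impostor": investigate(spy, impostor_peer),
        "silent": investigate(spy, silent_peer),
    }
```

A fresh nonce per challenge is what makes the check meaningful: without it, a device that had earlier recorded a legitimate answer could replay it. The spy routine only reports the outcome; as the description states, the final determination rests with the marker 114 or the decision system 116.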
Although Fig. 2 illustrates one example of a method 200 for intrusion detection, various changes may be made to Fig. 2. For example, while shown as a series of steps, the steps in Fig. 2 may overlap, occur in parallel or occur multiple times. As a particular example, in some embodiments the method 200 shown in Fig. 2 may be performed for each packet received by the wireless device. In other embodiments, the method 200 shown in Fig. 2 may be performed for each packet in a subset of the packets received by the wireless device. Also, although detection of an anomalous condition based on a single packet is illustrated, an anomalous condition may be determined based on multiple packets, such as multiple packets received in succession from the same transmitter (external wireless sending device). Further, although the wireless device is shown both detecting the anomaly and activating the spy routine, the marker 114 may send a response to the wireless nodes 106a-106e or field devices 104a-104n to activate the spy routine in any of the wireless nodes 106a-106e or field devices 104a-104n, thereby allowing the spy routine to be activated in the appropriate wireless node(s) and/or field device(s). In addition, the operation of multiple wireless devices may be coordinated with the operation of the marker 114 to achieve effective intrusion detection and isolation. Moreover, Fig. 2 illustrates downloading the spy routine only when the wireless device is storage-constrained. In other embodiments, the spy routine may be downloaded to the wireless device regardless of whether the wireless device is storage-constrained.
Fig. 3 illustrates an example method 300 for completing execution of a spy routine at a wireless device according to this disclosure. The embodiment of the method 300 shown in Fig. 3 is for illustration only. Other embodiments of the method 300 may be used without departing from the scope of this disclosure. Also, for ease of explanation, the method 300 is described with respect to the wireless node 106a in the repeater system 106 of Fig. 1. The method 300 may be used by any suitable device, such as a wireless field device, and in any suitable system or environment.
The wireless device completes execution of the spy routine at step 302. This may include, for example, the wireless node 106a sending a suitable challenge to the possible intruder. This may or may not also include receiving a response from the possible intruder. If a response is received, this may also include the wireless node 106a determining whether the received response matches the expected response. The results generated by the spy routine may be provided to the marker 114, which (by itself or through the decision system 116) may make a final determination as to whether the possible intruder is indeed an intruder.
At step 304, the wireless device determines whether the spy routine was downloaded. If not, the spy routine is deactivated at step 306. This may include, for example, the wireless node 106a stopping execution of the spy routine and returning to normal operation. In this case, the wireless device may represent a non-storage-constrained device that can perform its normal operations while allowing the spy routine to remain in the memory of the wireless device.
If the spy routine was downloaded, other code is downloaded at step 308 to overwrite the spy routine. This may include, for example, the wireless node 106a revoking the spy routine in its memory, meaning that the wireless node 106a no longer treats the memory cells in which the spy routine is stored as containing valid data. This may also include the wireless node 106a downloading one or more application programs (or portions thereof) from a suitable source, such as the control station 110 or the marker 114. The downloaded application program(s) may represent the application program(s) that were overwritten in the memory of the wireless device when the spy routine was downloaded. The wireless node 106a may then execute the downloaded application program(s) and return to normal operation.
In this way, the spy routine can be executed on every device in the system, including storage-constrained wireless devices that might otherwise be unable to execute the spy routine. As a result, the ability to detect and isolate intrusions into the wireless network 102 can be extended to include storage-constrained wireless devices.
Although Fig. 3 illustrates one example of a method 300 for completing execution of a spy routine at a wireless device, various changes may be made to Fig. 3. For example, while shown as a series of steps, the steps in Fig. 3 may overlap, occur in parallel or occur multiple times. Also, Fig. 3 illustrates revoking and overwriting the spy routine only when the wireless device is storage-constrained. In other embodiments, the spy routine may be revoked and possibly overwritten in the wireless device regardless of whether the wireless device is storage-constrained.
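The storage-constrained branch of the method 200 (steps 212-216) together with the method 300 (steps 302-308), worked through as an added example that is neither the patent's nor Honeywell's code. It models device memory as a small number of image slots: a device with a spare slot keeps the spy routine resident and only deactivates it afterwards, while a device with a single slot has the spy routine downloaded over its application, then revoked and overwritten by the re-downloaded application. The image contents, the slot model and the image source standing in for the marker 114 or control station 110 are assumptions made for the example.

```python
# Constructed placeholder images; the real spy routine and application code are not on the page.
SPY_IMAGE = b"SPY-ROUTINE-IMAGE"
APP_IMAGE = b"NORMAL-APPLICATION-IMAGE"


class ImageSource:
    """Stands in for the marker 114 / control station 110 as the place images are downloaded from."""

    def __init__(self):
        self.images = {"spy": SPY_IMAGE, "app": APP_IMAGE}

    def download(self, name):
        return self.images[name]


class WirelessDevice:
    """Memory is a fixed number of image slots; each slot holds (name, bytes, valid)."""

    def __init__(self, name, slots, source):
        self.name = name
        self.source = source
        self.memory = [None] * slots
        self.memory[0] = ("app", APP_IMAGE, True)
        if slots > 1:                             # enough memory: the spy routine stays resident
            self.memory[1] = ("spy", SPY_IMAGE, True)
        self.running = "app"
        self.spy_downloaded = False
        self.trace = []

    def valid_images(self):
        return [slot[0] for slot in self.memory if slot is not None and slot[2]]

    def is_storage_constrained(self):
        # step 212: the device cannot keep the spy routine resident during normal operation
        return "spy" not in self.valid_images()

    def on_positive_response(self):
        """Steps 212-216: activate a resident spy routine, or download one over the application."""
        if self.is_storage_constrained():
            # step 216: the application slot is overwritten by the downloaded spy routine
            self.memory[0] = ("spy", self.source.download("spy"), True)
            self.spy_downloaded = True
            self.trace.append("download spy")
        self.running = "spy"
        self.trace.append("activate spy")

    def finish_spy_routine(self):
        """Method 300: step 302 completes, then step 306 (deactivate) or step 308 (revoke, restore)."""
        self.trace.append("spy complete")
        if not self.spy_downloaded:               # step 306: resident copy simply stops
            self.running = "app"
            self.trace.append("deactivate spy")
            return
        name, data, _ = self.memory[0]            # step 308: revoke first (slot no longer valid)...
        self.memory[0] = (name, data, False)
        self.trace.append("revoke spy")
        self.memory[0] = ("app", self.source.download("app"), True)   # ...then restore the application
        self.spy_downloaded = False
        self.running = "app"
        self.trace.append("restore app")


def run_scenario(slots):
    """Drive one device through a positive response and spy completion; report its states."""
    dev = WirelessDevice("node", slots, ImageSource())
    before = dev.valid_images()
    dev.on_positive_response()
    during = (dev.running, dev.valid_images())
    dev.finish_spy_routine()
    return {"before": before, "during": during,
            "after": (dev.running, dev.valid_images()), "trace": dev.trace}
```

The revoke step is kept separate from the restore step on purpose: marking the slot invalid first means that if the application download fails part way, the device is left with no valid spy image rather than a half-overwritten one that might be mistaken for valid code.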
Fig. 4 illustrates an example method 400 for implementing intrusion detection in a wireless network according to this disclosure. The embodiment of the method 400 shown in Fig. 4 is for illustration only. Other embodiments of the method 400 may be used without departing from the scope of this disclosure. Also, for ease of explanation, the method 400 is described with respect to the marker 114 in the system 100 of Fig. 1. The method 400 may be used by any suitable device and in any suitable system or environment.
At step 402, the marker receives one or more notifications indicating one or more anomalous conditions or events. This may include, for example, the marker 114 receiving one or more message packets from at least one of the wireless nodes 106a-106e and/or the field devices 104a-104n. The one or more anomalies may have been detected based on one or more packets received by the corresponding wireless node(s) or field device(s). The one or more anomalies may correspond to MAC-level anomalies, network-level anomalies and security-level anomalies. Each message packet may contain or identify the nature of the anomaly, the time at which the wireless node or field device received the packet, the address of the device that transmitted the packet(s), and the received packet(s). Each message packet may also contain only a copy of the received packet(s).
At step 404, the marker processes the contents of the one or more notifications to determine whether an intrusion is suspected. In some embodiments, the marker 114 may keep a record of the occurrences of potential anomalous conditions or events reported by all wireless nodes 106a-106e and/or field devices 104a-104n and may determine an intrusion based on statistical techniques. The marker 114 may also determine an intrusion based on a set of decision rules (such as by using the SNORT decision engine), where the decision rule set specifies the manner in which an intrusion is determined. The marker 114 may further forward the message packet(s) to the decision system 116, which may perform processing to determine an intrusion based on probabilistic, rule-based or other techniques.
If no intrusion is suspected at step 406, the method 400 may end. At this point the marker 114 need not take any other measures. The marker 114 may also inform one or more of the wireless nodes 106a-106e and/or field devices 104a-104n that no intrusion is suspected (such as in the body of a response packet). As a particular example, it is possible that the anomaly was caused by a maintenance issue. In this case, the marker 114 may take no further measures, and the method 400 ends. During maintenance, a wireless device may be temporarily unavailable for normal operation, and other operating devices may therefore not expect to receive packets from its address under normal conditions. If the wireless device undergoing maintenance inadvertently sends a packet, the packet may be flagged as an anomaly by another wireless device but determined at the marker not to come from a potential intruder.
If an intrusion is suspected at step 406, the marker determines at step 408 whether the wireless device that is to execute the spy routine is storage-constrained. This may include, for example, the marker 114 using data provided by an operator, by the wireless device or by another source to determine whether the particular wireless device is storage-constrained.
If the wireless device that is to execute the spy routine is storage-constrained, the marker downloads the spy routine to the wireless device at step 410. This may include, for example, the marker 114 providing the spy routine to one or more of the wireless nodes 106a-106e and/or field devices 104a-104n over a wired or wireless connection. The wireless device may then automatically execute the spy routine. Otherwise, the marker activates the spy routine in the wireless device at step 412. This may include, for example, the marker sending one or more response packets to the wireless device at step 412. The response packet may therefore be viewed as a request for further investigation (RFI) and may be provided to the corresponding wireless device over a secure channel (such as by encrypting the contents of the response packet using symmetric, asymmetric or other keys provided by the key server 112). In these steps, the marker 114 may also provide the network address of the suspected intruder to the wireless device. In some embodiments, the marker 114 may also (such as via the operator terminal 118) provide an "intrusion" alarm to an operator together with the area or other location information of the suspected intruder (which may be based on the transmission route information contained in the message packet(s)).
In particular embodiments, the spy routine is activated in (and possibly downloaded to) the wireless device closest to the suspected intruder. The marker 114 may identify this wireless device in any suitable manner. For example, the marker 114 may determine, from the one or more message packets, the transmission route from the suspected intruder (the transmitter of the one or more packets containing the one or more anomalies). The marker 114 may then identify the wireless device (such as one of the wireless nodes 106a-106e) closest to the suspected intruder. The approximate or relative positions of the wireless nodes 106a-106e and/or field devices 104a-104n may be provided to the marker 114 in advance (such as by the control station 110, by an operator at the operator terminal 118, or through some other configuration data).
Although Fig. 4 illustrates one example of a method 400 for implementing intrusion detection in a wireless network, various changes may be made to Fig. 4. For example, while shown as a series of steps, the steps in Fig. 4 may overlap, occur in parallel or occur multiple times. Also, an anomalous condition may be determined based on one or more packets. Further, the operation of the marker 114 may be coordinated with the operation of multiple wireless devices to achieve effective intrusion detection and isolation. In addition, Fig. 4 illustrates downloading the spy routine only when the wireless device is storage-constrained. In other embodiments, the spy routine may be downloaded to the wireless device regardless of whether the wireless device is storage-constrained.
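The marker side of the method 400 (steps 402-412), together with the closest-node determination described just above and again in the Fig. 5B scenario, as an added example that is not the patent's or Honeywell's code. The marker keeps a record of reports per sender address, applies a simple weighted count as its statistical rule, takes the first hop of the reported route as the node nearest the originator, and then either downloads the spy routine (storage-constrained node) or sends an RFI response packet. The node positions, receiver ranges, anomaly weights, threshold and message packet layout are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed installation data: node positions (x, y in metres) and receiver ranges,
# as an operator might supply via the operator terminal 118. Not taken from the patent.
NODE_POSITIONS = {"106a": (0.0, 0.0), "106c": (60.0, 0.0), "106e": (120.0, 0.0)}
RECEIVER_RANGE = {"106a": 35.0, "106c": 35.0, "106e": 35.0}
# Weight per anomaly level; one security-level anomaly alone is enough to suspect an intrusion,
# two MAC- or network-level reports about the same sender are needed otherwise. Assumed values.
ANOMALY_WEIGHT = {"mac": 1, "network": 1, "security": 2}
SUSPICION_THRESHOLD = 2


class Marker:
    def __init__(self, storage_constrained):
        self.storage_constrained = storage_constrained   # node name -> bool, from operator data
        self.records = defaultdict(list)                 # sender address -> message packets

    def receive_notification(self, msg):
        """Step 402: record a message packet reported by a node or field device, then decide."""
        self.records[msg["sender"]].append(msg)
        return self.process(msg["sender"])

    def suspect_intrusion(self, sender):
        """Step 404: statistical rule over all reports recorded about this sender."""
        score = sum(ANOMALY_WEIGHT[m["level"]] for m in self.records[sender])
        return score >= SUSPICION_THRESHOLD

    @staticmethod
    def closest_node(msg):
        """The first hop of the reported route is taken as the node nearest the originator."""
        first_hop = msg["route"][0]
        return first_hop, {"center": NODE_POSITIONS[first_hop], "radius": RECEIVER_RANGE[first_hop]}

    def process(self, sender):
        """Steps 406-412: decide, then download the spy routine or send an RFI response packet."""
        if not self.suspect_intrusion(sender):
            return {"suspected": False, "actions": []}
        node, area = self.closest_node(self.records[sender][-1])
        if self.storage_constrained.get(node, False):
            actions = [("download_spy", node)]            # step 410: download; it auto-activates
        else:
            actions = [("rfi", node, sender)]             # step 412: response packet activates it
        alarm = {"intruder": sender, "node": node, "area": area}
        return {"suspected": True, "actions": actions, "alarm": alarm}


def run_demo():
    marker = Marker(storage_constrained={"106e": True, "106c": False, "106a": False})
    # Constructed message packets of the kind a node sends at step 208.
    first = marker.receive_notification(
        {"sender": "502a", "level": "mac", "reason": "unscheduled slot", "route": ["106e"]})
    second = marker.receive_notification(
        {"sender": "502a", "level": "mac", "reason": "unscheduled slot", "route": ["106e"]})
    mic = marker.receive_notification(
        {"sender": "502b", "level": "security", "reason": "incorrect MIC",
         "route": ["106e", "106c", "106a"]})
    rfi_case = marker.receive_notification(
        {"sender": "502c", "level": "security", "reason": "stale nonce", "route": ["106a"]})
    return {"first": first, "second": second, "mic": mic, "rfi_case": rfi_case}
```

Keying the record by sender address is what lets the marker notice a pattern that no single node sees, which is the point of aggregating reports centrally; the weighting simply encodes that a failed integrity check is stronger evidence than a scheduling irregularity, which a device under maintenance can also produce.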
From the above description, it can be appreciated that a wireless node 106a-106e or field device 104a-104n can indicate an anomalous condition or event based on one or more packets directed to the wireless node or field device. The marker 114 may determine, based on reports of one or more potential anomalous conditions or events from one or more of the wireless nodes 106a-106e or field devices 104a-104n, that the transmitter of such packets is a potential intruder. The marker 114 may then have the spy routine on one or more of the wireless nodes 106a-106e or field devices 104a-104n engage the potential intruder in further communication in order to confirm that the potential intruder is indeed to be treated as an intruder. It can be appreciated that, as the processing proceeds from the wireless device to the marker and on to the spy routine, the probability that the transmitter is an intruder increases progressively.
It may also be noted that the steps shown in Figs. 2 to 4 may operate concurrently. Also, after steps 410 and 412 in Fig. 4, the marker 114 may receive a response to the RFI from the corresponding wireless device (based on the results of step 214 or 216 in Fig. 2). There may be subsequent RFIs and responses to those RFIs. The marker 114 may process the responses to the RFIs to determine an intrusion with a higher level of certainty. These determinations may also be made by the decision system 116. The marker 114 may also notify the operator or trigger an alarm via the operator terminal 118.
It can also be appreciated from Figs. 2 to 4 that a wireless device may remain in normal operation (performing its normal operations) until an anomalous condition or event occurs. Thus, less power may be used to monitor for intrusions. This approach may be desirable in environments where power constraints may exist. For example, the wireless nodes 106a-106e and/or field devices 104a-104n may be battery-powered devices operating as part of an industrial process control system. It is therefore desirable that the wireless nodes 106a-106e and/or field devices 104a-104n consume minimal power. In addition, downloading the spy routine to at least the storage-constrained devices may facilitate use of the spy routine in the wireless network 102. This approach may be desirable in environments where storage constraints may exist.
Figs. 5A and 5B illustrate example intrusion scenarios according to this disclosure. In particular, Figs. 5A and 5B illustrate the operation of the methods 200 and 400 described above in example intrusion scenarios. These intrusion scenarios are for illustration and explanation only. Other intrusion scenarios may occur in the system 100 of Fig. 1 or in any other suitable system without departing from the scope of this disclosure.
As noted above, a wireless device (such as the wireless node 106a) may perform various processing steps to identify one or more possible anomalous conditions or events. For example, the wireless device may first check the destination MAC address in the received packet. If the destination MAC address matches the wireless device's own MAC address, the wireless device may check the destination network address in the packet. If both the destination MAC address and the destination network address match the wireless device's own MAC address and network address, the wireless device may conclude that it is the final (intended) recipient of the packet. The wireless device may then check the security level parameter (or field) in the packet.
If the destination network address in the packet differs from the network address of the wireless device (but the destination MAC address matches the MAC address of the device), the wireless device may conclude that the packet is intended for some other wireless device whose network address matches the destination network address. The wireless device may also conclude that the packet is to be forwarded to that other wireless device. Thus, it may be noted that the wireless device can detect anomalies at the MAC layer, at the network layer or at the security level.
It may also be noted here that a possible intruder may impersonate a "legitimate" wireless node or wireless field device according to the corresponding wireless technology. For example, an intruder may "listen" to data transmitted on the wireless medium and thereby obtain the addresses of the wireless nodes and/or wireless field devices located near it (within its communication range). The intruder may then use this information to send unauthorized packets into the wireless network.
Regardless of the underlying cause, some representative anomalies that may indicate a possible intrusion are provided below.
(a) The packet is not expected from the sending device: as noted above, the wireless field devices 104a-104n may be assigned time slots, such as by the control station 110. A time slot may represent a time period during which a field device 104a-104n may send or receive packets. Each wireless node 106a-106e may be provided with information about the particular time slots during which the corresponding field devices 104a-104n may send or receive packets. Thus, if a wireless node notices that a received packet arrived in a non-scheduled time slot (such as from an intruder impersonating a wireless field device), this means that no time slot was allocated for the packet and may therefore indicate a possible intrusion.
(b) The packet received at the wireless device does not contain a "valid" destination address for the destination device (such as the address of the device that is to be the final recipient of the packet): a packet may be received with the MAC-level address of the wireless device. However, the address at a higher protocol layer (such as the network layer) may not match the address of this wireless device or of any other wireless device. This determination may be based on, for example, the network addresses that all wireless nodes 106a-106e in the network 102 may have.
(c) The packet size (such as the number of bytes) of the packet is larger or smaller than the expected size: in general, many networks (or the corresponding technologies/standards) set minimum and maximum packet sizes. If the size of a received packet is not within these limits, an anomaly may be detected. Such an anomaly may represent a network-level anomaly.
(d) The received packet contains a wrong or incorrect Message Integrity Code (MIC): the MIC value is a unique code or number that may be included in each packet transmitted on the wireless network 102. Receiving a packet with an invalid MIC value may therefore represent an anomaly. Such an anomaly may represent a security-level anomaly.
(e) Nonce anomaly: each packet transmitted on the wireless network 102 may be designed to have a nonce field, where the nonce is typically a time-varying number. If the nonce of a packet is smaller than the current value for the network 102, this may indicate that a "rogue" device (intruder) is attempting to resend a packet, potentially after "listening" to data traffic on the wireless medium, and may therefore represent an anomaly. The nonce may also be generated randomly. This anomaly may represent a security-level anomaly.
(f) Flip-flop of the connection state: an intruder may send packets that have the effect of establishing and tearing down (secure) connections. This anomaly may represent a security-level anomaly.
These anomalies are for illustration only. Any other or additional anomalies, such as anomalies specific to the particular environment, may be checked for without departing from the scope of this disclosure. An intrusion detection system (such as the system 100) may be implemented to detect intrusions based on one, some or all of these types of anomalies and/or other or additional anomalies. Figs. 5A and 5B show example intrusion scenarios that are used to illustrate the operation of the intrusion detection system 100. In Figs. 5A and 5B, various components of the system 100 of Fig. 1 may be omitted, and only those components of Fig. 1 necessary to understand the following intrusion scenarios are shown.
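The anomaly checks (a) to (f) and the MAC/network/security layering described above, implemented as one per-packet checker over constructed packets. This is an added example, not the patent's or Honeywell's code: the packet layout, the slot schedule, the set of known network addresses, the size limits, the MIC construction (a keyed hash over the addressed fields under a constructed network key) and the flip-flop window are all assumptions made for the example.

```python
import hashlib
import hmac
from collections import deque

# Constructed network parameters (assumed, not from the patent).
NETWORK_KEY = b"constructed-network-key"            # shared by legitimate devices
MIN_SIZE, MAX_SIZE = 16, 128                        # (c) allowed payload sizes in bytes
KNOWN_NET_ADDRS = {"N1", "N2", "N3", "N4", "N5"}    # (b) network addresses belonging to the network
SLOT_SCHEDULE = {"F1": {0, 4, 8}, "F2": {1, 5, 9}}  # (a) slots in which each field device may send


def compute_mic(pkt):
    """(d) Message Integrity Code: keyed hash over the fields a forger would have to get right."""
    data = (f"{pkt['src']}|{pkt['dst_mac']}|{pkt['dst_net']}|{pkt['slot']}|"
            f"{pkt['nonce']}|{pkt['payload'].hex()}").encode()
    return hmac.new(NETWORK_KEY, data, hashlib.sha256).hexdigest()[:8]


def make_packet(src, dst_mac, dst_net, slot, nonce, payload, conn=None):
    """Build a packet as a legitimate, key-holding device would (MIC computed over the fields)."""
    pkt = {"src": src, "dst_mac": dst_mac, "dst_net": dst_net, "slot": slot,
           "nonce": nonce, "payload": payload, "conn": conn}
    pkt["mic"] = compute_mic(pkt)
    return pkt


class AnomalyChecker:
    """Step 204 on one wireless device: returns every anomaly found in a packet, by level."""

    def __init__(self, my_mac, my_net):
        self.my_mac = my_mac
        self.my_net = my_net
        self.last_nonce = -1                  # highest nonce accepted so far on this network
        self.conn_events = deque(maxlen=6)    # recent connect/disconnect events, (f)

    def check(self, pkt):
        found = []
        # MAC level, (a): the sender has no slot allocated at this time
        if pkt["slot"] not in SLOT_SCHEDULE.get(pkt["src"], set()):
            found.append(("mac", "unscheduled time slot"))
        # Network level, (b): MAC-addressed to us but the network destination belongs to nobody
        if pkt["dst_mac"] == self.my_mac and pkt["dst_net"] not in KNOWN_NET_ADDRS:
            found.append(("network", "invalid destination network address"))
        # Network level, (c): outside the size limits the standard sets
        if not MIN_SIZE <= len(pkt["payload"]) <= MAX_SIZE:
            found.append(("network", "packet size out of range"))
        # Security level, (d): MIC does not verify under the network key
        if not hmac.compare_digest(pkt["mic"], compute_mic(pkt)):
            found.append(("security", "incorrect MIC"))
        # Security level, (e): nonce not newer than the last one seen, so possibly a replay
        if pkt["nonce"] <= self.last_nonce:
            found.append(("security", "stale nonce (possible replay)"))
        else:
            self.last_nonce = pkt["nonce"]
        # Security level, (f): connection state alternating within the recent window
        if pkt["conn"] in ("connect", "disconnect"):
            self.conn_events.append(pkt["conn"])
            ev = list(self.conn_events)
            if len(ev) >= 4 and all(a != b for a, b in zip(ev, ev[1:])):
                found.append(("security", "connection state flip-flop"))
        return found


def run_demo():
    """Constructed traffic seen by a node with MAC M5 / network address N5."""
    node = AnomalyChecker(my_mac="M5", my_net="N5")
    body = b"x" * 20
    results = {}
    results["legit"] = node.check(make_packet("F1", "M5", "N5", 4, 10, body))
    results["slot"] = node.check(make_packet("F1", "M5", "N5", 2, 11, body))     # (a)
    results["net"] = node.check(make_packet("F2", "M5", "N9", 5, 12, body))      # (b)
    results["size"] = node.check(make_packet("F1", "M5", "N5", 0, 13, b"x" * 200))  # (c)
    forged = make_packet("F2", "M5", "N5", 5, 14, body)
    forged["mic"] = "00000000"                    # (d) sender without the key cannot compute it
    results["mic"] = node.check(forged)
    results["replay"] = node.check(make_packet("F1", "M5", "N5", 8, 10, body))   # (e) old nonce
    for i, state in enumerate(["connect", "disconnect", "connect", "disconnect"]):
        results["flip"] = node.check(make_packet("F2", "M5", "N5", 9, 20 + i, body, conn=state))  # (f)
    return results
```

Note that the nonce is only advanced when the packet's nonce is newer, so a forged packet with a large nonce still moves the high-water mark; a deployment would want to advance it only for packets whose MIC verified, which is a one-line change and worth making if (d) and (e) are used together.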
In Fig. 5 A, device 502a is assumed to be the invador.Here invador 502a is shown and sends packet (by " A " among Fig. 5 A expression) to radio node 106e.Invador 502a can pretend to be another radio node or wireless field device.
Radio node 106e can check (this packet is not expected) that packet and specified data grouping receive in " mistake " time slot.As a result, radio node 106e can determine to occur unusual condition (by " B " expression).Wherein possible a kind of situation that this thing happens relates to invador 502a and pretends to be wireless field device and forward packets to radio node 106e in " mistake " time slot.
Under different situations, invador 502a is pretending to be another radio node and is sending packet, and this packet has the destination MAC Address identical with the MAC Address of radio node 106e will be (the destination device) invalid network address of packet relaying/be forwarded to but have radio node 106e.In this case, radio node 106e can notice that the destination network address is invalid and it is unusual therefore packet to be considered as representative.
In case detect unusually, radio node 106e just sends message grouping (by " C " expression) to marker 114.In other embodiments, replace sending the message grouping after detecting single anomalous event, radio node 106e can wait for the detection of a plurality of anomalous events and send the message grouping then.
In this example, marker 114 forwards a packet to decision system 116 (by " D " expression) to message.If decision system 116 detects or suspects invasion, then decision system 116 sends the notice (by " E " expression) of suspecting invasion to marker 114.In other embodiments, marker 114 itself can be made determining of invasion.
If suspect invasion, then marker 114 sends alarm (by " F " expression) via operator terminal 118 to the operator.Such as when limited device is stored in radio node 106e representative, marker 114 can randomly send spy routine (by " G " expression) to radio node 106e.Marker 114 also can randomly send respond packet (by " H " expression) to radio node 106e.The reception of respond packet activates the spy routine among the radio node 106e, and spy routine realizes the further investigation to invasion.Respond packet can be chosen wantonly, then can activate spy routine automatically in radio node 106e because if spy routine is downloaded to radio node 106e.
Fig. 5 B illustrates another example invasion situation.Device 502b is assumed to be the invador and is illustrated as sending the packet (expression by " A ' ") of going to radio node 106a.Packet has the address of radio node 106a in its destination network address field, and packet is received by radio node 106e.
Radio node 106e checks packet and can determine not detect unusual at MAC layer and network level.Radio node 106e adds timestamp with its oneself MAC Address and network layer address to grouping then and transmits this packet to radio node 106c (expression by " B ' ").Radio node 106c checks packet and can determine not detect unusual at MAC layer and network level similarly.Radio node 106c also adds timestamp with its oneself the MAC Address and the network address to grouping and transmits this packet to radio node 106a (expression by " C ' ").
Radio node 106a can receive packet and determine that security level is associated with packet unusually.For example, radio node 106a can notice that packet has incorrect MIC value.This is unusual determines to be represented by " D ' " among Fig. 5 B.
Radio node 106a sends message grouping (expression by " E ' ") then to marker 114.The message grouping can comprise the network address, the packet itself of unusual type (incorrect MIC value in this example), the time that receives grouping, invador 502b and comprise packet at the routing iinformation that advances to the transmission route of being followed the radio node 106a from invador 502b.Can use any suitable form to send this and/or other or additional information.In other embodiments, replace sending the message grouping afterwards detecting single anomalous event (single instance), radio node 106a can wait for the detection of a plurality of anomalous events (a plurality of example) and send the message grouping then.
Marker 114 forwards the message packet to decision system 116 (denoted "F'"). In response, marker 114 receives an indication (denoted "G'") that an intrusion is suspected. In other embodiments, marker 114 itself may make the determination that an intrusion has occurred.
Because the packet received at marker 114 carries routing information (the transmission route from intruder 502b to marker 114 and the addresses of the devices along that route), marker 114 can determine which wireless node is closest to intruder 502b. In general, the wireless node that was the first recipient of the packet (the first node in the communication route) is often the node closest to the transmitter (originator) of the packet. The physical location of each wireless node (such as a geographical indication or coordinates) may have been provided to marker 114 in advance, for example by the operator via operator terminal 118 based on an installation/deployment diagram. In this example, marker 114 can determine that intruder 502b is located in an area near wireless node 106e, the size of that area typically being determinable from the sensitivity of the receiver circuitry of wireless node 106e (which is normally known in advance).
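As an added illustration (not code from the patent), the following Python model shows the route stamping by each forwarding node, the destination's MIC check and the marker's first-hop localization described above; the node addresses, coordinates, reception radii and shared key are constructed for the demonstration.

```python
"""Constructed example (not code from the patent): the hop-by-hop route recording,
destination MIC check and nearest-node localization described for Fig. 5B. Node
addresses, coordinates, reception ranges and the shared key are made up here."""
import hashlib
import hmac
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SHARED_KEY = b"constructed-demo-key"  # stands in for a key from key server 112


@dataclass
class Hop:
    mac: str
    net_addr: str
    timestamp: float


@dataclass
class Packet:
    src: str        # network address of the originator
    dst: str        # destination network address field
    payload: bytes
    mic: bytes      # message integrity code over src, dst and payload
    route: List[Hop] = field(default_factory=list)


def compute_mic(src: str, dst: str, payload: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Truncated HMAC standing in for the security-layer MIC."""
    msg = src.encode() + b"|" + dst.encode() + b"|" + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


@dataclass
class WirelessNode:
    name: str
    mac: str
    net_addr: str
    x_m: float
    y_m: float
    reach_m: float  # receiver sensitivity expressed as a reception radius

    def receive(self, pkt: Packet, now: float) -> Tuple[str, Optional[dict]]:
        """Stamp the route; forward if not the destination, else verify the MIC."""
        pkt.route.append(Hop(self.mac, self.net_addr, now))  # B', C' in Fig. 5B
        if pkt.dst != self.net_addr:
            return "forward", None
        expected = compute_mic(pkt.src, pkt.dst, pkt.payload)  # D' in Fig. 5B
        if not hmac.compare_digest(expected, pkt.mic):
            report = {  # message packet contents sent to marker 114 (E' in Fig. 5B)
                "anomaly": "incorrect MIC value", "received_at": now,
                "intruder_addr": pkt.src, "packet": pkt, "route": list(pkt.route),
            }
            return "anomaly", report
        return "delivered", None


class Marker:
    """Marker 114: holds operator-supplied node positions and localizes the intruder."""

    def __init__(self, nodes: List[WirelessNode]):
        self.by_addr: Dict[str, WirelessNode] = {n.net_addr: n for n in nodes}

    def localize(self, report: dict) -> dict:
        # The first node in the recorded route is taken as the closest to the sender.
        first = self.by_addr[report["route"][0].net_addr]
        return {"nearest_node": first.name, "center_m": (first.x_m, first.y_m),
                "radius_m": first.reach_m, "area_m2": round(math.pi * first.reach_m ** 2, 1)}


def deliver(path: List[WirelessNode], pkt: Packet, t0: float = 1000.0):
    """Push a packet along a fixed multi-hop path until it is delivered or flagged."""
    status, report = "forward", None
    for i, node in enumerate(path):
        status, report = node.receive(pkt, t0 + i)
        if status != "forward":
            break
    return status, report


def build_network() -> Tuple[List[WirelessNode], Marker]:
    """Path 106e -> 106c -> 106a with constructed positions and ranges."""
    path = [WirelessNode("106e", "00:1e", "10.0.0.5", 0.0, 0.0, 30.0),
            WirelessNode("106c", "00:1c", "10.0.0.3", 40.0, 0.0, 30.0),
            WirelessNode("106a", "00:1a", "10.0.0.1", 80.0, 0.0, 30.0)]
    return path, Marker(path)


def run_intrusion():
    """Intruder 502b sends a packet with a forged MIC (it lacks the key) to 106a."""
    path, marker = build_network()
    bad = Packet("10.0.0.99", "10.0.0.1", b"SET VALVE 100%", mic=b"\x00" * 8)
    status, report = deliver(path, bad)
    return status, report, (marker.localize(report) if report else None)


def run_legitimate() -> str:
    """A correctly protected packet over the same path is delivered with no report."""
    path, _ = build_network()
    good = Packet("10.0.0.7", "10.0.0.1", b"TEMP 21.5",
                  mic=compute_mic("10.0.0.7", "10.0.0.1", b"TEMP 21.5"))
    return deliver(path, good)[0]
```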
Marker 114 sends the operator an alarm (denoted "H'") indicating the suspected intrusion and the location or area in which intruder 502b may be present. For example, when wireless node 106e is a storage-limited device, marker 114 can optionally send the spy routine (denoted "I'") to wireless node 106e. Marker 114 can also optionally send a response packet (denoted "J'") to wireless node 106e. Receipt of the response packet activates the spy routine in wireless node 106e (unless the spy routine is activated automatically in response to its download), and the spy routine carries out further investigation of the intrusion.
In certain embodiments, marker 114 and the wireless device(s) in which the spy routine is activated work together to investigate further whether to declare an intrusion. Once it is determined with a probability greater than a threshold level that an intrusion has occurred, suitable corrective action can be initiated to prevent intruders 502a-502b from affecting wireless network 102. For example, the wireless device(s) executing the spy routine may block packets received from the intruder, such as by not forwarding those packets to the next node or device. This can prevent network flooding and denial-of-service attacks. As another example, when an intrusion is determined, the encryption/decryption keys generated by key server 112 may be changed (refreshed) at shorter intervals (a higher frequency). As yet another example, manual/operator intervention may be initiated to remove the intruder from the operating area of network 102.
In certain embodiments, when an intrusion is suspected, the spy routine may be activated in a single wireless device. In other embodiments, when an intrusion is suspected, the spy routine may be activated in multiple wireless devices. When activated in multiple wireless devices, the spy routines in those devices may interact and cooperate with one another to identify and isolate the intruder in wireless network 102.
Although Figs. 5A and 5B illustrate examples of intrusion scenarios, various changes may be made to Figs. 5A and 5B. For example, an intruder may attempt to infiltrate the wireless network in any other suitable manner. In addition, the intruder may be detected, isolated or removed in any other suitable manner.
Fig. 6 illustrates an example marker 114 or wireless device (such as wireless nodes 106a-106e or wireless devices 104a-104n) in a wireless network intrusion detection system according to this disclosure. The embodiment of marker 114 or the wireless device shown in Fig. 6 is for illustration only. Other embodiments of marker 114 or the wireless device may be used without departing from the scope of this disclosure. Also, marker 114 and the wireless devices may have similar or different implementations depending on particular needs. Marker 114 and the wireless device are illustrated together here for the sake of simplicity, while the various differences between these components are pointed out.
In this example, marker 114 or the wireless device includes a processing unit 602, random access memory (RAM) 604, non-volatile memory (NVM) 606, storage 608, an input/output (I/O) interface 610, a wireless interface 612 and an antenna 614. Processing unit 602 performs various operations to implement the desired functions in marker 114 or the wireless device. For example, in marker 114, processing unit 602 may receive message packets and determine whether an intrusion is suspected (or interact with decision system 116 and allow decision system 116 to make that determination). In wireless nodes 106a-106e, processing unit 602 may analyze received packets and determine whether any anomalies exist. In wireless field devices 104a-104n, processing unit 602 may operate to provide process data, implement control data and detect anomalies. Processing unit 602 includes any suitable processing unit or units. For example, processing unit 602 may include one or more processors. These may include general-purpose processors capable of executing instructions and/or special-purpose processors suited to specific tasks. Instructions may be provided to the general-purpose and special-purpose processors from RAM 604. As a specific example, processing unit 602 may read sequences of instructions from various types of memory (such as RAM 604, non-volatile memory 606 and storage 608) and execute those instructions to provide various functions.
RAM 604 and non-volatile memory 606 represent any suitable storage and retrieval devices for storing any appropriate information. For example, RAM 604 may receive instructions and data from non-volatile memory 606 and provide the instructions to processing unit 602 for execution. Non-volatile memory 606 may store software instructions and data that, where applicable, enable marker 114 or the wireless device to provide the desired functionality. Non-volatile memory 606 may, for example, be implemented as read-only memory (ROM) or flash memory.
Storage 608 may include various storage and retrieval units or components, such as a hard disk drive 616 and/or a removable memory drive 618. Removable memory drive 618 may represent a drive capable of receiving a removable memory module 620, which may represent a portable storage medium. Floppy disk drives, tape drives, CD-ROM drives, DVD drives, flash interfaces and removable memory interfaces (such as PCMCIA or EPROM interfaces) are examples of removable memory drive 618. Floppy disks, tapes, CDs, DVDs, flash memory and removable memory chips (such as PCMCIA cards or EPROMs) are examples of removable memory module 620. Storage 608 may be used to store instructions and data that enable marker 114 or the wireless device to provide the desired functionality. In particular embodiments of marker 114, some or all of the instructions and data may be provided on removable memory module 620, and the data and instructions may be read by removable memory drive 618 and provided to processing unit 602 via RAM 604.
I/O interface 610 provides an interface, such as over a wired path, for receiving data from and sending data to external devices or systems. I/O interface 610 may, for example, be used to allow an operator/user to provide input and receive output (in the case of marker 114), to perform diagnostic tests before deployment (in the case of wireless nodes 106a-106e), or to interact with sensors or actuators (in the case of field devices 104a-104n). As a specific example, I/O interface 610 may be used to provide an alarm about a possible intrusion to operator terminal 118. I/O interface 610 may be implemented in any suitable manner.
Wireless interface 612 enables marker 114 or the wireless device to transmit and receive data over a wireless medium (via antenna 614) in accordance with the desired communication protocol. Wireless interface 612 may be implemented in any suitable manner. As a specific example, wireless interface 612 may represent an RF transceiver.
In this example, a bus 622 couples the various components of marker 114 or wireless nodes 106a-106e. Bus 622 represents any suitable communication bus that may be used to facilitate communication among the components.
As noted above, each wireless device and marker 114 may be implemented in hardware, software, firmware or a combination thereof. Generally speaking, when throughput performance is the primary consideration, the implementation is more likely to be in hardware (such as in the form of an application-specific integrated circuit (ASIC)). When cost is the primary consideration, the implementation is more likely to be in software (such as a processor executing the instructions provided in software/firmware). Cost and performance may be balanced through the desired mix of hardware, software and/or firmware.
Although Fig. 6 illustrates one example of a marker 114 or wireless device in a wireless network intrusion detection system, various changes may be made to Fig. 6. For example, the functional division shown in Fig. 6 is for illustration only. Components in Fig. 6 may be combined or omitted, and additional components may be added, according to particular needs. As a specific example, particular memories or storage may be omitted if not needed. Also, as noted above, marker 114 or the wireless device may be implemented using any suitable hardware, software, firmware or combination thereof. As a result, Fig. 6 illustrates only one of many possible implementations of marker 114 or a wireless device.
Fig. 7 illustrates an example memory configuration 700 in a wireless device according to this disclosure. The embodiment of memory configuration 700 shown in Fig. 7 is for illustration only. Other embodiments of memory configuration 700 may be used without departing from the scope of this disclosure.
As noted above, marker 114 may activate the spy routine in one or more of wireless nodes 106a-106e and/or field devices 104a-104n when a possible intrusion of wireless network 102 is detected. Optionally, marker 114 may download the spy routine to one or more of wireless nodes 106a-106e and/or field devices 104a-104n. This may be particularly useful when, for example, one or more of wireless nodes 106a-106e and/or field devices 104a-104n are storage-limited devices. A storage-limited device represents a wireless device that lacks enough memory (such as in RAM 604, non-volatile memory 606 and storage 608) to store both the spy routine and the code required for the normal operation of the wireless device.
To allow the spy routine to be used in storage-limited devices (and possibly other wireless devices), marker 114 may download the spy routine to a wireless device for execution on that device. This may occur, for example, after a potential intrusion is detected. In certain embodiments, the spy routine may be downloaded only to storage-limited wireless devices, while it resides more permanently on wireless devices that are not storage-limited. In other embodiments, the spy routine may be downloaded to each wireless device when it is needed at that device (whether or not the device is storage-limited). The spy routine may then be executed by the wireless device. When the spy routine completes, a storage-limited wireless device may delete or deactivate the spy routine instance, and the code required for normal operation of the wireless device may be downloaded to it. This allows the storage-limited wireless device to resume normal operation. If the spy routine is downloaded to a wireless device that is not storage-limited, that device may allow the spy routine to remain in its memory, or it may delete or deactivate the spy routine.
As shown in Fig. 7, memory configuration 700 of the wireless device includes various segments 702-708. Each of the segments is used for a different purpose, namely to store a different type of data. For example, code segment 702 stores instructions and other programs executed by wireless nodes 106a-106e or field devices 104a-104n. As a specific example, code segment 702 may store a binary executable task image that can be executed by processing unit 602 in the wireless device. Data segment 704 stores data used by the programs executed by wireless nodes 106a-106e or field devices 104a-104n. As a specific example, data segment 704 may store data used, collected or generated by the wireless device while executing the binary task image, such as initialized variables. The "BSS" (Block Started by Symbol) segment 706 stores uninitialized data used by programs in wireless nodes 106a-106e or field devices 104a-104n. As a specific example, BSS segment 706 may store uninitialized variables. Swap segment 708 serves as swap memory, which can support the use of virtual memory in wireless nodes 106a-106e or field devices 104a-104n. Other segments may also be used in memory configuration 700, such as a heap segment and a stack segment.
During normal operation, one or more main applications may reside in memory configuration 700 of the wireless device, such as in code segment 702. The main application may represent software or firmware that supports the startup, steady-state operation and termination phases of the wireless device. The main application is often subdivided into layers, such as application layer software, security layer software, network layer software and MAC/physical (PHY) layer software.
In certain embodiments, the one or more main applications are divided into modules (which may also be referred to as features or functions). Some modules of the main application may be non-essential to the steady-state operation of wireless nodes 106a-106e or field devices 104a-104n. For example, at the security layer, the layer initialization function, the session establishment function and the key update function (involving key exchange between key server 112 and the wireless device) may be non-essential to steady-state operation of the wireless device. At the MAC and network layers, the node discovery function may be non-essential to steady-state operation. At the application layer, the layer initialization function may be non-essential to steady-state operation. These modules are for illustration only and are not exhaustive; any other or additional modules may be regarded as non-essential to steady-state operation of the wireless device. Also, this list of modules may be expanded or reduced according to the importance of the various functions in the steady-state operating scenario of the wireless device.
The modules that are non-essential to steady-state operation of the wireless device may be identified, for example, at a pre-compilation stage before the software/firmware of the wireless device is compiled. Using compiler directives or other techniques, these modules may be placed in contiguous memory locations of the wireless device, such as in code segment 702 of the wireless node device.
When the spy routine needs to be executed to confirm or isolate an intruder in wireless network 102, the spy routine may be downloaded to the wireless device. For example, the spy routine may be downloaded and stored in swap segment 708 of memory configuration 700. The spy routine may then be stored in code segment 702, such as in the contiguous memory locations that hold the modules non-essential to steady-state operation of the wireless device. The offset at which the spy routine is stored in code segment 702 can be determined at compile time. Only part of the code in code segment 702 is swapped out, meaning that only some of the code in code segment 702 needs to be overwritten. This allows steady-state operation of the wireless device to continue while the spy routine is being downloaded and stored. This partial swap can be facilitated by adapting the spy routine to use the heap and the stack (rather than data segment 704) for its variable storage and computation needs. Once the spy routine is loaded into code segment 702, dynamic re-linking of the security functionality in the wireless device takes place, and the spy routine can be executed without taking the wireless device offline.
Once the spy routine completes, the wireless device can download the modules that were overwritten by the spy routine. The downloaded modules may first be stored in swap segment 708 and then loaded into code segment 702. Dynamic re-linking of the downloaded modules takes place, and the wireless device can resume normal operation without being taken offline. All of this can happen while steady-state operation of the wireless device continues. For example, the software/firmware updates (the download of the spy routine and the download of the modules) and steady-state operation can be handled concurrently, such as by treating them as time-shared tasks in the operating system of the wireless device.
The above description illustrates reloading the modules into the wireless device after the spy routine has completed. However, the modules may be reloaded into the wireless device at other times. For example, the modules may be reloaded after marker 114 has been informed that the wireless device is about to be restarted (and may therefore need the modules during the termination and subsequent startup phases of the device).
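As an added illustration (not the patent's code), the following Python model shows the partial swap described above: the non-essential modules occupy one contiguous block at a fixed offset of code segment 702, the spy routine arrives in swap segment 708, is copied over that block and re-linked while the essential modules stay untouched, and the displaced modules are later reloaded the same way. Module names, sizes and image contents are constructed for the demonstration.

```python
"""Constructed example (not code from the patent): a model of memory configuration
700 in which the spy routine is swapped into the contiguous block of non-essential
modules in code segment 702 and later replaced by the reloaded modules. Module
names, sizes and image contents are made up for the demonstration."""
import hashlib
from typing import Dict, List, Tuple


class StorageLimitedDevice:
    """Models code segment 702 and swap segment 708 of a storage-limited wireless device."""

    def __init__(self, code_size: int, swap_size: int,
                 essential: Dict[str, bytes], non_essential: Dict[str, bytes]):
        self.code = bytearray(code_size)
        self.swap = bytearray(swap_size)
        self.link_table: Dict[str, Tuple[int, int]] = {}  # module -> (offset, length)
        off = 0
        # Essential modules first; the non-essential ones follow in one contiguous
        # block, as a compiler directive would arrange them at build time.
        for name, image in list(essential.items()) + list(non_essential.items()):
            if off + len(image) > code_size:
                raise MemoryError(f"code segment too small for {name}")
            self.code[off:off + len(image)] = image
            self.link_table[name] = (off, len(image))
            off += len(image)
        self.opt_start = self.link_table[next(iter(non_essential))][0]
        self.opt_size = off - self.opt_start  # both fixed at "compile time"
        self.displaced: List[str] = []

    def image_of(self, name: str) -> bytes:
        """Resolve a linked module and return its code (stands in for calling it)."""
        off, length = self.link_table[name]
        return bytes(self.code[off:off + length])

    def essential_digest(self) -> str:
        """Hash of the essential region, to show steady-state code is never touched."""
        return hashlib.sha256(bytes(self.code[:self.opt_start])).hexdigest()

    def _download(self, image: bytes) -> None:
        """Downloads land in swap segment 708 before being copied into code segment 702."""
        if len(image) > len(self.swap):
            raise MemoryError("image does not fit in the swap segment")
        self.swap[:len(image)] = image

    def load_spy_routine(self, image: bytes) -> None:
        """Partial swap: overwrite only the non-essential block, then re-link."""
        if len(image) > self.opt_size:
            raise MemoryError("spy routine larger than the non-essential module block")
        self._download(image)
        # Unlink the displaced modules before their code is overwritten.
        self.displaced = [n for n, (o, _) in self.link_table.items() if o >= self.opt_start]
        for name in self.displaced:
            del self.link_table[name]
        self.code[self.opt_start:self.opt_start + len(image)] = self.swap[:len(image)]
        self.link_table["spy_routine"] = (self.opt_start, len(image))  # dynamic re-link

    def restore_modules(self, images: Dict[str, bytes]) -> None:
        """Reload the displaced modules (received from an external source) and re-link."""
        missing = set(self.displaced) - set(images)
        if missing:
            raise ValueError(f"modules not supplied: {sorted(missing)}")
        self.link_table.pop("spy_routine", None)
        off = self.opt_start
        for name in self.displaced:  # original order restores the original offsets
            image = images[name]
            self._download(image)
            self.code[off:off + len(image)] = self.swap[:len(image)]
            self.link_table[name] = (off, len(image))
            off += len(image)
        self.displaced = []


def demo() -> dict:
    """Walk a device through spy-routine load, execution window and module restore."""
    essential = {"mac_phy": b"MACPHY-steady-state-code",
                 "network": b"NET-forwarding", "app_steady": b"APP-steady"}
    non_essential = {"sec_init": b"SEC-INIT", "session_setup": b"SESSION-SETUP",
                     "key_update": b"KEY-UPDATE", "node_discovery": b"NODE-DISCOVERY"}
    dev = StorageLimitedDevice(128, 64, essential, non_essential)
    before = dev.essential_digest()
    try:  # an image larger than the contiguous block must be refused, not partly written
        dev.load_spy_routine(b"X" * (dev.opt_size + 1))
        oversize_rejected = False
    except MemoryError:
        oversize_rejected = True
    spy = b"SPY-ROUTINE-inspects-packets-drops-intruder"
    dev.load_spy_routine(spy)
    during = {"spy": dev.image_of("spy_routine"), "linked": sorted(dev.link_table),
              "essential_intact": dev.essential_digest() == before}
    dev.restore_modules(non_essential)  # modules re-downloaded after the spy routine
    after = {"linked": sorted(dev.link_table),
             "session_setup": dev.image_of("session_setup"),
             "essential_intact": dev.essential_digest() == before}
    return {"oversize_rejected": oversize_rejected, "during": during, "after": after}
```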
Although Fig. 7 illustrates one example of memory configuration 700 in a wireless device, various changes may be made to Fig. 7. For example, the wireless device may include any other suitable memory arrangement. Also, the wireless device may use any other suitable technique to load the spy routine and return to normal operation.
In certain embodiments, the various functions described above are implemented or supported by a computer program that is formed from computer-readable program code and embodied in a computer-readable medium. The term "computer-readable program code" includes any type of computer code, including source code, object code and executable code. The term "computer-readable medium" includes any type of medium capable of being accessed by a computer, such as read-only memory (ROM), random access memory (RAM), a hard disk drive, a compact disc (CD), a digital video/versatile disc (DVD) or any other type of memory. Example computer-readable media may be random-access, volatile, non-volatile, removable or non-removable. Although a computer-readable medium may be illustrated or described as being provided within a system or device, it may also be provided external to the system or device.
It may be advantageous to set forth definitions of certain words and phrases used throughout this patent document. The term "packet" refers to any information-bearing communication signal, regardless of the format used for the particular communication signal. The terms "application", "program" and "routine" refer to one or more computer programs, sets of instructions, procedures, functions, objects, classes, instances or related data adapted for implementation in a suitable computer language. The term "couple" and its derivatives refer to any direct or indirect communication between two or more elements, whether or not those elements are in physical contact with one another. The terms "transmit", "receive" and "communicate", as well as their derivatives, encompass both direct and indirect communication. The terms "include" and "comprise", as well as their derivatives, mean inclusion without limitation. The term "or" is inclusive, meaning and/or. The phrases "associated with" and "associated therewith", as well as their derivatives, may mean to include, be included within, interconnect with, contain, be contained within, connect to or with, couple to or with, be communicable with, cooperate with, interleave, juxtapose, be proximate to, be bound to or with, have, have a property of, or the like. The term "controller" means any device, system or part thereof that controls at least one operation. A controller may be implemented in hardware, firmware, software or some combination of at least two of these. The functionality associated with any particular controller may be centralized or distributed, whether locally or remotely.
While this disclosure has described certain embodiments and generally associated methods, alterations and permutations of these embodiments and methods will be apparent to those skilled in the art. Accordingly, the above description of example embodiments does not define or constrain this disclosure. Other changes, substitutions and alterations are also possible without departing from the spirit and scope of the invention as defined by the following claims.

Claims (10)

1. A system comprising:
a plurality of wireless devices (104a-104n, 106a-106e) configured to receive packets over a wireless medium, at least one of the wireless devices being configured to detect one or more anomalies associated with a received packet; and
a marker device (114) configured to transmit a spy routine to one or more of the wireless devices in response to detection of the one or more anomalies;
wherein the one or more wireless devices are further configured to execute the spy routine to facilitate at least one of: determining whether a transmitter of the received packet is an intruder, and isolating the transmitter.
2. The system of claim 1, wherein the marker device is further configured to determine whether one of the wireless devices is a storage-limited wireless device before transmitting the spy routine to that wireless device.
3. The system of claim 1, wherein a storage-limited wireless device is further configured to:
execute a main application during normal operation, the main application comprising a plurality of modules; and
replace at least one of the plurality of modules with the spy routine;
wherein the at least one module is non-essential to steady-state operation of the storage-limited wireless device; and
wherein the at least one module is replaced without taking the storage-limited wireless device offline.
4. The system of claim 3, wherein the storage-limited wireless device is further configured to:
receive the at least one module from an external source; and
replace the spy routine with the at least one received module, without taking the storage-limited wireless device offline, so that the storage-limited wireless device returns to normal operation.
5. The system of claim 1, wherein:
the marker device is configured to transmit the spy routine to a first subset of the wireless devices; and
the spy routine resides on a second subset of the wireless devices, and the marker device is configured to activate the spy routine in the second subset of wireless devices.
6. A method comprising:
receiving (202) a packet from a transmitter at a wireless device (104a-104n, 106a-106e);
detecting (204) one or more anomalies associated with the packet;
transmitting (208) a notification in response to detecting the one or more anomalies;
receiving (216) a spy routine at the wireless device; and
executing (216) the spy routine to facilitate at least one of: determining whether the transmitter is an intruder, and isolating the transmitter.
7. The method of claim 6, wherein the wireless device is a storage-limited wireless device having an insufficient amount of memory (604, 606, 608) to store both a main application used during normal operation and the spy routine.
8. The method of claim 7, further comprising:
executing the main application at the wireless device during normal operation, the main application comprising a plurality of modules; and
replacing at least one of the plurality of modules with the spy routine;
wherein the at least one module is non-essential to steady-state operation of the storage-limited wireless device; and
wherein the at least one module is replaced without taking the storage-limited wireless device offline.
9. An apparatus comprising:
an interface (610, 612) configured to receive a notification from one of a plurality of wireless devices (104a-104n, 106a-106e), the notification being associated with one or more anomalies detected by that wireless device; and
at least one processor (602) configured to identify at least one of the wireless devices and to initiate transmission of a spy routine to the at least one wireless device, the spy routine facilitating at least one of: determining whether a transmitter in the wireless network is an intruder, and isolating the transmitter.
10. The apparatus of claim 9, wherein the at least one processor is further configured to determine that the at least one wireless device is a storage-limited wireless device having an insufficient amount of memory (604, 606, 608) to store both a main application used during normal operation and the spy routine.
Application CN2008801154423A, priority date 2007-09-11, filing date 2008-09-05: Apparatus and method for deploying a wireless network intrusion detection system to resource-constrained devices. Status: Expired - Fee Related. Granted publication: CN101855864B (en).

Applications Claiming Priority (3)

Application Number | Priority Date | Filing Date | Title
US11/900,623 (US7966660B2) | 2007-05-23 | 2007-09-11 | Apparatus and method for deploying a wireless network intrusion detection system to resource-constrained devices
US11/900623 | 2007-09-11 | - | -
PCT/US2008/075348 (WO2009035914A1) | 2007-09-11 | 2008-09-05 | Apparatus and method for deploying a wireless network intrusion detection system to resource-constrained devices

Publications (2)

Publication Number | Publication Date
CN101855864A (en) | 2010-10-06
CN101855864B (en) | 2013-07-10

Also Published As

Publication number Publication date
EP2198553A1 (en) 2010-06-23
US20080291017A1 (en) 2008-11-27
CN101855864B (en) 2013-07-10
EP2198553A4 (en) 2014-08-27
US7966660B2 (en) 2011-06-21
WO2009035914A1 (en) 2009-03-19

Similar Documents

Publication Publication Date Title
CN101855864B (en) Apparatus and method for deploying a wireless network intrusion detection system to resource-constrained devices
US10862926B2 (en) Cybersecurity threat detection and mitigation system
CN103051601B (en) For providing the method for network security
Verba et al. Idaho national laboratory supervisory control and data acquisition intrusion detection system (SCADA IDS)
US10944765B2 (en) Security system for machine to machine cyber attack detection and prevention
US20080295171A1 (en) Intrusion Detection System For Wireless Networks
Lamba et al. Mitigating zero-day attacks in IoT using a strategic framework
CN104012027A (en) System and method for cloud based scanning for computer vulnerabilities in a network environment
CN102428677A (en) Sanitization of packets
US7360250B2 (en) Illegal access data handling apparatus and method for handling illegal access data
US11546295B2 (en) Industrial control system firewall module
JPWO2020075808A1 (en) Information processing equipment, log analysis method and program
Graveto et al. A network intrusion detection system for building automation and control systems
Januário et al. Security challenges in SCADA systems over Wireless Sensor and Actuator Networks
CN107181722A (en) Vehicle safety communications method, device, vehicle multimedia system and vehicle
US20190026478A1 (en) Vehicle secure communication method and apparatus, vehicle multimedia system, and vehicle
CN117220752B (en) Satellite-ground data transmission link safety transmission system and method
CN101212753A (en) Safety protection method for data stream
CN115189905B (en) Network communication and safety control integrated machine and working method thereof
Thankappan et al. A distributed and cooperative signature-based intrusion detection system framework for multi-channel man-in-the-middle attacks against protected Wi-Fi networks
EP3254223B1 (en) Security system for machine to machine cyber attack detection and prevention
Pozniak et al. RF exploitation and detection techniques using software defined radio: A survey
US10972486B2 (en) Cyber security system for internet of things connected devices
Driouch et al. Distributed intrusion detection system for CubeSats, based on deep learning packets classification model
Xu et al. MP-Mediator: Detecting and Handling the New Stealthy Delay Attacks on IoT Events and Commands

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20130710

Termination date: 20190905